1. Risks, Controls and Security Measures
Chapter 17
Risks, Controls and Security Measures

2. Learning Objectives When you finish this chapter, you will:
Be able to identify the main types of risks to information systems.
List various types of attacks on networked systems
Identify types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce.

3. Learning Objectives
Know the principles of how organizations develop recovery plans.
Be able to explain the economic aspects of pursuing information security.

4. Why do we care?
Nearly 20,000 digital attacks* occurred in January 2003
At this rate, we could see 180,000 attacks resulting in $ billion in damages
*mi2g Ltd., a digital risk management firm.

5. Goals of Information Security
Reduce the risk of systems and organizations ceasing operations
Maintain information confidentiality
Ensure the integrity and reliability of data resources
Ensure uninterrupted availability of data resources and online operations
Ensure compliance with national security laws and privacy policies and laws

6. Risks to Information Systems
Causes of systems downtime
Number-one is hardware failure
Fire and theft are the next two contributors
Risks to Hardware
Natural disasters
Blackouts and brownouts
Vandalism

7. Risks to Information Systems
Risks to Applications and Data
Theft of information
Data alteration, data destruction, and defacement
Computer viruses and Logic Bombs
Nonmalicious mishaps

8. Risks to Information Systems
Figure 17.2 Frequency of security breaches in a 12-month period based on a survey of 745 professionals

9. Risks to Online Operations
Denial of Service (DoS)
Too many requests are received to log on to a Web site’s pages
If perpetrated from multiple computers it is called distributed denial of service (DDoS)
Spoofing
Deception of users to make them think they are logged on at one site while they actually are on another

10. Controlling Information System Risks
Controls: Constraints imposed on a user or a system to secure systems against risks.
Figure 17.3 Common controls to protect systems from risk

11. Controlling Information System Risks
Program Robustness and Data Entry Controls
Provide a clear and sound interface with the user
Menus and limits / data input constraints
Backup
Periodic duplication of all data
Access Controls
Ensure that only authorized people can gain access to systems and files
Access codes and passwords
Biometric
An access control unique in physical, measurable characteristic of a human being that is used to identify a person

12. Controlling Information System Risks
Atomic Transactions
Ensures that transaction data are recorded properly in all the pertinent files to ensure integrity

13. Controlling Information System Risks
Audit Trails
Built into an IS so that transactions can be traced to people, times, and authorization information

14. Encryption Authentication
Process of ensuring that the sender and receiver of a message is indeed that person
Original message – plaintext
Coded message – ciphertext
Messages scrambled on sending end; descramble to plain text on receiving end

15. Encryption Strength
Figure 17.6 Estimated time needed to break encryption keys, using $100,000 worth of computer equipment

16. Encryption Distribution Restrictions Public Key encryption Symmetric
Both sender and recipient use same key
Key is referred to as secret key
Asymmetric (also called public key encryption)
Sender is able to communicate key to recipient before message is sent

17. Encryption

18. Encryption
Secure Sockets Layer and Secure Hypertext Transport Protocol ensure online transactions are secure
Pretty Good Privacy – Network Associates product that allows individuals to register for public and private keys

19. Digital signatures and Digital Certificates
Electronic Signatures
Digital Signatures
Different each time you send a message
Digital Certificates
Computer files that serve as the equivalent of ID cards

20. Firewalls
Software whose purpose is to manage access to computing resources
Early firewalls used combination of hardware and software
While firewalls are used to keep unauthorized users out, they are also used to keep unauthorized software or instructions away
Computer viruses and other rogue software
Proxy Servers act as a buffer between internal and external networks

21. Security Standards The Orange Book (DOD)- Four security levels
Decision A: Verify Protection
Decision B: Mandatory Protection
Decision C: Discretionary Protection
Decision D: Minimal Protection or No Protection
The ISO Standard
Common set of requirements for IT product security functions and for assurance measures during security evaluation
Permits comparability between results of independent security tests

22. The Downside of Security Controls
Security measures slow data communications and require discipline that is not easy to maintain
Passwords
Encryption
Firewalls
Drains personnel resources as well…

23. Chief Security Officers

24. Recovery Measures
The Business Recovery Plan – Nine steps proposed for development
Obtain management’s commitment to the plan
Establish a planning committee
Perform risk assessment and impact analysis
Prioritize recovery needs
Select a recovery plan
Select vendors
Develop and implement the plan
Test the plan
Continually test and evaluate

25. Recovery Measures Outsourcing the Recovery Plan
Some companies may choose not to develop their own recovery plan
Small companies may not be able to afford an expensive recovery plan
May opt for a Web-based service

26. Median Amounts of IT Security Budgets by Industry

27. The Economic Aspect of Security Measures
Two types of costs to consider when determining how much to spend on data security:
The cost of potential damage
The cost of implementing a preventive measure

28. The Economic Aspect of Security Measures
Figure The total cost to the enterprise is lowest at “Optimum.” No less, and no more, should be spent on information security measures.